In an earlier article, we introduced the Notifiable Data Breach (NDB) Scheme which provides a compulsory procedure for agencies and organisations (including small businesses) to follow in the event of a data breach. However, prevention is better than cure, and having tools in place to minimise a data breach from occurring will do your business a world of good. But where to start? Here are seven steps and strategies to prepare and boost your cyber security. In the meantime, it may also be wise to read OAIC’s resources as well as consult a privacy lawyer for professional advice.
1. Governance, Culture and Training
Insufficient interest or awareness of cyber-security among staff may lead to threats of data breaches being ignored and not properly attended to. Therefore, it is important to foster a privacy and security-conscious culture among your staff through appropriate training, resourcing and management focus, such as:
- Compulsory induction training sessions on cyber-security for new staff.
- Regular cyber-security training sessions for regular staff.
- Appointing a body or officer(s) who oversees, enforces and also trains staff on the business’s cyber-security policy.
2. Internal Practices, Procedures and Systems
Whereas the previous step focused on the culture and awareness of cyber-security (‘soft’ strategy), this current step is about enforcing rules and policy (‘hard’ strategy’). In general, your cyber-security policy should cover or require:
- Mandatory procedure (mirroring the NDB Scheme) on how to identify and report data breaches.
- Procedures for oversight, accountability and lines of authority for decisions relating to personal information security.
- Procedures for the storage of sensitive information at work and at home.
- Minimum standards and rules relating to use of end-user mobile devices and ‘Bring Your Own Device’ (BYOD).
According to the APP code, the internal practices and procedures of your business must be documented, regularly reviewed and updated.
3. ICT Security
This refers to measures which protect both your hardware and software from misuse, interference, loss, unauthorised access, modification and disclosure. ICT security covers:
- Software Security and Encryption: this includes your website and applications
- Network Security: This includes firewalls, detection system, blocking unauthorised downloads and WiFi security
- Whitelisting and Blacklisting: This involves controlling the content, application or entities that are allowed to run on or access a device or network
- Testing: Regular testing will help you discover any security weakness or configuration reviews
- Backing Up and Email Security: Obtaining physical hard copies or cloud-based storage as back-up
4. Access Security
This involves monitoring controls that protect your firm’s data from unauthorised access by hackers. Measures include:
- Truster Insider Risk: This includes limiting disclosure of personal information to those staff necessary to enable your business to carry out its functions and activities.
- Identity Management & Authentication: This helps to delineate between authorised and also unauthorised accessors.
- Passwords & Pass-Phrases: Involves having minimum length and character requirements, regular password updates, and also shared or unique passwords for staff.
5. Physical Security
This covers steps which prevent unauthorised physical access to both your soft and hard copies of your business’s data. Measures could include:
- Alarm systems (i.e. to control entry to workplace)
- Location and lock security of file storage rooms
- Camera systems (i.e. to detect unauthorised accessors)
6. Third Party Providers
If you use cloud service providers or other third parties to store your data, it is important that you understand their information handling practices (including terms and conditions) so as to ascertain any risks and protect yourself accordingly.
7. Destruction and Self-Identification
Where an entity holds personal information it no longer needs for a purpose that is permitted under the APPs, it must ensure that it takes reasonable steps to destroy or de-identify the personal information.
Therefore, you should consider establishing a procedure for the destruction of electronic (e.g. disk formatting) and physical data (e.g. shredding or burning). Whatever destruction method you use, the APP Code requires for the destroyed data to become ‘beyond use’ and ‘irretrievable’.
Conclusion
It is important that you establish or improve your cyber-security so that you can identify and respond effectively to future data breaches in line with the NDB Scheme. However, if you have adequate measures in place, you may be able to avoid any breaches occurring.
